NIST Publishes Guide for Monitoring Security in Information Systems

A new computer security publication* from the National Institute of Standards and Technology (NIST) will help organizations understand their security posture against threats and vulnerabilities and determine how effectively their security controls are working.

Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations (NIST Special Publication [SP] 800-137) aims to provide guidance for information security monitoring in all types of information systems – a term that encompasses not only computer networks but also a host of other interconnected devices and software. According to Kelley Dempsey, a researcher in NIST’s Computer Security Division and one of the authors, the publication is geared toward helping an organization ensure that its security measures are performing as desired over time.

“This is a guide for an organization that has already implemented the first five steps of the NIST Risk Management Framework (RMF) and is ready to move on to the last step, which is developing a systematic way of making sure the previous steps are implemented effectively,” says Dempsey. “Our publication can help an organization monitor the security posture of the organization and its systems on an ongoing basis.”

Dempsey says SP 800-137 is tightly coupled to two other NIST publications, SP 800-37 and SP 800-39, which describe all the steps in the risk management process. Those previous publications describe risk management and the RMF so that developers are able to determine a system’s boundaries, security category and required controls. Once these steps are complete, SP 800-137 can guide an organization’s efforts to monitor its system’s effectiveness in a customized fashion – something the authors describe as a move from “compliance-driven” to “data-driven” risk management.

“In the end, you don’t want to just get some generic to-do checklist and follow its orders – you want to get data from the systems within your organization and respond to it in a way appropriate for your own specific needs,” Dempsey says. “We hope this guide will enable users to do that.”

Dempsey adds that a major feature of SP 800-137 is a list of criteria to help users determine how frequently to monitor each of the controls in an information system. The list, she says, will help users understand how often each control should be checked – a frequency that may differ from one control to another.